A new Government Accountability Office (GAO) report found that the Office of Congressional Workplace Rights (OCWR) failed to incorporate cybersecurity management practices into the planning of its Secure Online Claims Reporting and Tracking E-filing System (SOCRATES) project.
OCWR did not finalize and use a drafted SOCRATES project schedule to manage its cybersecurity activities, including time frames for conducting IT system security assessments, nor did it document project cybersecurity risks. OCWR began the SOCRATES project to upgrade its legacy claims system.
“These weaknesses were due, in part, to a lack of policies and procedures for IT project planning,” GAO wrote. “Until OCWR establishes and implements such policies and procedures, it will continue to have a limited ability to effectively manage and monitor the completion of cybersecurity activities for its IT projects.”
GAO also found that OCWR did not fully implement oversight activities for the Facility Management Assistant, a system the agency uses to “document occupational safety and health violations.”
GAO made five recommendations to OCWR, all of which remain open, to address these cybersecurity management weaknesses. OCWR leadership should:
- Ensure development and implementation of cybersecurity policies and procedures;
- Ensure the development and implementation of oversight procedures for externally operated systems;
- Establish “roles and responsibilities for a risk executive function;”
- Develop and implement a cybersecurity risk management strategy; and
- Commit to a time frame for developing and implementing policies and procedures for managing cybersecurity risks.